Data protection

1. General information

a) Introduction

The protection of your personal rights during the processing of personal data is of the utmost concern to companies in MAN Group (hereinafter referred to as "MAN"). We process personal data in compliance with the provisions of the EU General Data Protection Regulation (GDPR) and in accordance with the legal regulations of the country in which the controller of the data processing is located.

Furthermore, MAN companies have undertaken to provide comprehensive and uniform protection of personal data through the implementation of a binding Group policy. Within MAN, this ensures a worldwide level of protection that is comparable to that in Germany and the European Union.

Moreover, our employees are obliged to maintain confidentiality with regard to the handling of personal data.

b) Controller, contact person and information

The controller as defined by data protection law is the MAN company that processes your data as part of an existing or incipient contractual relationship.

In the event of questions relating to data protection, please contact the data protection officer/data protection coordinator at the MAN company with which you have or are initiating a contractual relationship.

2. Collection and processing of personal data

a) Purpose limitation and legal basis

MAN processes your personal data in order to execute and manage an existing or incipient contractual relationship with you. In this context, your personal data is processed for various purposes as part of a range of processing activities.

b) Data sources

As a rule, your personal data is collected directly from you as part of an existing or incipient contractual relationship.

c) Obligation to provide data

You must provide the controller with the personal data required to execute the contractual relationship. If you do not provide this data, MAN cannot fulfil the relevant legal obligations and enter into the contractual relationship.

d) Intended purpose of processing activities

An overview of the intended purpose of our processing activities is provided below:

Putting services and materials out to tender: Sending requests, calling in outstanding quotes, commercial review and completeness checking on quotes, and performing negotiations.

Order processing (materials and services): Writing, submitting, sending, and tracking orders in the system.

Supplier support: Communication regarding products or services, responding to inquiries and requests, and bottleneck and risk management.

Compliance with legal obligations: Compliance with retention obligations, ensuring that compliance requirements are met through checks (e.g. sanctions list checks and money laundering), operating an internal control system (ICS) and other monitoring systems for ensuring that business processes are in accordance with regulations.

The processed data can be classified into the following data categories:

Professional contact and (work) organizational data

IT usage data

Data on personal/professional circumstances & characteristics

Creditworthiness and bank data

Contractual data

The aforementioned processing activities are justified by the following legal bases:

Consent to one or more specified purposes (Art. 6(1)(a) of the GDPR)

Fulfilment of the contract or contract initiation (Art. 6(1)(b) of the GDPR)

Fulfilment of legal obligations (Art. 6(1)(c) of the GDPR)

Balancing of interests (Art. 6(1)(f) of the GDPR)

The existence of a relevant and appropriate relationship between the controller and the data subject

Prevention of fraud

Direct advertising

Transfer of data within a corporate group for internal management purposes (including customer and employee data)

3. Transfer of personal data

In certain cases, your personal data may also be disclosed to other bodies:

If the disclosure of your personal data is necessary in order to execute or initiate the contractual relationship, such as in the event of financing for the object of the contract or in the event of shared order processing with project-specific partners (e.g. body manufacturers).

We will also disclose your personal data to service providers commissioned by us in the framework of order processing (e.g. the digitization of paper invoices, and provision of a supplier platform).

Your core data and contact details are disclosed in a centralised database for the purpose of ensuring a uniform and current data stock and for credit checking (other companies in Volkswagen Group are also able to access this database).

If you have consented, we may also disclose your core data and contact details as well as offer and order data to corresponding companies in Volkswagen Group for the purpose of supplier support, such as communication.

If we are required to comply with country-specific legal requirements regarding the disclosure of your personal data, e.g. for transfer to financial authorities, courts, and auditors.

In order to ensure a high level of data privacy, data privacy contracts have been concluded with all companies in MAN and Volkswagen Group that receive data.

If we transfer personal data to affiliated companies or service providers outside the European Economic Area (EEA), the data transfer will only take place if the EU Commission has confirmed there is an adequate level of data privacy in the third country, or other adequate and sufficient data protection guarantees are in place (e.g. EU Standard Contractual Clauses or certification in accordance with the EU/US Privacy Shield).

4. Data storage and erasure

We erase your personal data as soon as it is no longer required for the purposes stated above.

Your personal data is stored for as long as we are required to do so by law, or for as long as statutory limitation periods apply. This regularly arises due to legal obligations to provide proof and preserve records, governed by legislation including the Bürgerliches Gesetzbuch (BGB – German Civil Code), Handelsgesetzbuch (HGB – German Commercial Code), and the Abgabenordnung (AO – German Tax Code).

Beyond this, data is only saved if there are further statutory or contractual storage obligations to do so, such as in the context of product liability.

5. Your rights

You have the right to be informed about the data that relates to you, and the right to rectify your data. Provided that there are no statutory regulations to the contrary, you also have the right to erase your data and to object to the processing of your data, and the right to restrict the processing of your data. Furthermore, you have the right to data portability.

If we collect and process your personal data on the basis of your consent, you also have the right to revoke the consent you granted with effect for the future. The legality of the data processing carried out with your consent until you revoke it remains unaffected by your withdrawal of consent.

If necessary, we need to verify your identity before we can process your requests.

If, in spite of our efforts to maintain accurate and up-to-date data, incorrect information has been saved, we will correct such information upon corresponding request.

In the event of complaints, there is the possibility to contact a data protection supervisory authority.

6. Automated decision-making

We do not perform automated individual decision-making within the meaning of Art. 22 (1) & (4) of the GDPR.